2

I have to make a small demonstration about how to do a MySQL injection and how to protect against it. I already know exactly how to protect our application from them, but I have some questions about SQL injection.

I created a simple dummy website for the demonstration, to which I've added a search field. This search field isn't protected, so it is subject to SQL injection.

I already made some examples, like how to retrieve some global info on the database (version, current user, database name) by inserting " 'UNION SELECT [MyInteresstingFields] From [mytable]; --", but my question is:

What is the next step? Is it possible to alter the database? How? I don't see how, because mysql_query (it's a PHP website using CakePHP) only runs one request, so how do you alter a SELECT request to make a change in the database? (e.g. insert, edit or anything else; it doesn't matter, it's only to show them what the result can be.)

Johan
asked Jul 21, 2011 at 8:46
1
  • You can demo how to count the number of columns with a series of injections, sequentially increasing the parameter count until you match it. Yes, you can ALTER a table or delete it if the user used to connect to the DB has the privileges. Commented Jul 21, 2011 at 8:58

4 Answers

5

Usually you will use the injection to collect admin passwords (or the token emailed via a password reset page), then login to the admin part and do the stuff from there.

answered Jul 21, 2011 at 8:49
2
  • so that means that if passwords are hashed, there is no risk of altering the database??? Commented Jul 21, 2011 at 9:08
  • 1
    You missed what I said about the email reset token. The person uses the "I forgot my password link". This puts a reset token in the database, which is also sent via email - the cracker never gets the email, but he can see the token right in the database, and pretends he got the email, then changes the password. Commented Jul 21, 2011 at 9:12
3

Here is a tutorial for testing SQL injection:

SQL Injection Tutorial

answered Jul 21, 2011 at 8:52
1
  • yeah, but the only thing which can modify my website is the example with $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";, and this can't work because mysql_query only executes one query. Commented Jul 21, 2011 at 9:17
3

mysql_query() executes only one query exactly for the purpose of protecting you from ALTER/DROP/INSERT/UPDATE/DELETE statements if you are vulnerable to SQL injection. But what if the vulnerable code is an INSERT, UPDATE or DELETE statement? Then you can delete all rows by modifying the WHERE, or maybe you could add another row if you can append '), (<values>)' to the query, or you can update the access_level of the user even if the original query only updates the password (if the password field is not escaped and the user enters ", access_level=1 for the password).

answered Jul 21, 2011 at 9:26
2

If your intention is to alter data in MySQL with SQL injection without administrative privileges, then you **can't**. Although it's possible with SQL Server. The table below explains it.

answered Jul 23, 2011 at 9:09
